Kim Dotcom claims he invented two-factor authentication—but he wasn’t first

Dotcom patent was invalidated in EU. He still wants to be paid for "invention."

Out of nowhere, Kim Dotcom last night claimed to have invented a widely used and very important security technology known as two-factor authentication.

Just after Twitter launched a two-factor system, Dotcom tweeted that Twitter is "Using my invention" and also that "they won't even verify my Twitter account." He followed up by calling the use of two-step authentication by Google, Facebook, Twitter, Citibank, and others a "Massive IP infringement by U.S. companies. My innovation. My patent."

Dotcom does have a US patent (using his original name of Kim Schmitz) on two-factor authentication, filed in 1998 and granted in 2000. He also used to have an equivalent patent in Europe. But Dotcom's European patent was revoked in 2011 largely because AT&T had a patent on the same technology with a priority date from 1995. (Thanks to Emily Weal of patent law firm Keltie for pointing out Dotcom's European patent travails in the IP Copy blog.)

While Dotcom's patent in the US is still in force, AT&T also has a US patent pre-dating his. The Guardian pointed out that Ericsson and Nokia also have patent filings for two-factor systems predating Dotcom's.

The two factors in two-factor authentication are generally something you know and something you have. You know your password and type it into a website, and you have a device (typically a cell phone) that receives a one-time code from the online service, which must be typed in as well. In such a system, a hacker has to steal your password and your authentication device to get into your account. In addition to cell phones, products like RSA's SecurID devices can generate security keys for use in two-factor systems.
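The server side of the flow just described, as an added example that is not part of the original article: the password is checked first, then a one-time code that is single use, time limited and attempt limited. The class name `TwoFactorLogin`, the 6-digit code, the 5-minute lifetime and the 3-attempt limit are assumptions for illustration, and delivery of the code to the phone is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3      # wrong guesses allowed per code (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    # First factor: store a slow salted hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TwoFactorLogin:
    """Hypothetical in-memory verifier for password + one-time code."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # user -> (salt, password_hash)
        self.pending = {}   # user -> [code_digest, expires_at, attempts_left]

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hash_password(password, salt))

    def start(self, user, password):
        """Check the password; on success return the code to send to the device."""
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[user] = [digest, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return code  # handed to the out-of-band channel, never to the browser

    def finish(self, user, code):
        """Check the second factor: single use, time limited, attempt limited."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        entry[2] -= 1
        ok = (self.clock() <= expires_at and
              hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest))
        if ok or entry[2] <= 0 or self.clock() > expires_at:
            del self.pending[user]   # consumed, exhausted or expired
        return ok
```

A stolen password alone gets an attacker only as far as `start()`; without the device that receives the code, `finish()` fails, and a captured code cannot be replayed once it has been used or has expired.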

While Dotcom castigated major tech companies for stealing his invention, he tweeted, "I never sued them. I believe in sharing knowledge & ideas for the good of society. But I might sue them now cause of what the U.S. did to me."

But he may not want to spend the money to pursue such a lawsuit because of the ongoing US case against him for copyright infringement. Dotcom further tweeted that "All of our assets are still frozen without trial. Defending our case will cost USD 50M+. I want to fight to the end because we are innocent."

Instead of suing the likes of Google, Facebook, and Twitter, Dotcom offered an alternative: they can just pay him without going to trial. "Google, Facebook, Twitter, I ask you for help," he tweeted. "We are all in the same DMCA boat. Use my patent for free. But please help funding my defense."

UPDATE: Dotcom has since tweeted that "My U.S. 2FA patent has no prior art because it specifies the use of a mobile phone & SMS. Unfortunately my EU patent wasn't specific enough. The prior art that killed my EU patent was an old school pager."

The AT&T patent pre-dating Dotcom's does focus mostly on pagers, but notes that "it will be obvious to those skilled in the art that many other communications mechanisms may be used instead of, or in addition to, wireless paging devices. These mechanisms include, for example, cellular telephones, conventional wired telephones, personal computers, etc."

Dotcom's later patent filing similarly gives both pagers and cellular phones as examples of devices that could be used in two-factor authentication systems. Dotcom's patent makes 17 references to pagers or paging systems, 21 references to phones, and one reference to SMS.

Dotcom further tweeted that he is implementing two-factor authentication in his new storage service, Mega.

Promoted Comments

The book Applied Cryptography, an extensive work on the subject, describes multiple-factor authentication.

The book describes that at the most basic level, you can prove your identity three ways:

1. Something you know (password, PIN, passphrase)
2. Something you have (ATM card, RSA fob device, building key, passport, etc)
3. Something you are (fingerprint, retina scan, voiceprint, DNA, how you type, pressure patterns of your handwriting, etc)

Banks have used two factor authentication for years. An ATM wants something you Know (PIN) and something you have (plastic card).

The military often uses something you Are and something you Know. The guard must personally recognize you and you better know the password of the day. Failure around nukes is pretty much guaranteed to get you shot.

Google uses something you Know (password) and something you have (your mobile phone with a pre arranged app).

Just to add a bit more, off topic, the book describes why people use cryptography. One of the uses is to ensure privacy from government intrusion. The author even describes that one day this may be necessary even for citizens in the United States.

It's been a long, looooong time since I read the book, but I seem to recall it is on about page 100 (maybe 99, or 101), and it is long before September 11, 2001.

He describes that if there were a terrorist attack on the US, perhaps a large attack on, say, New York, that liberties and privacy may be curtailed severely.

I just skimmed through the patent text. As with all patents like this, it's vague. It basically just describes what is theoretically possible with present technology.

This patent illustrates what should not be patented. The patent should be limited to what the inventor actually worked on. None of these "data input apparatus" or "monitor" which can be just about anything.

The goal is to grant patents only on what the inventor actually worked on, not on things that the idea can theoretically be implemented on. It's only fair and reasonable as it limits the patent protection to what the inventor actually worked on.

Why do you insist on giving him coverage? This is just more of his usual attention seeking garbage. Please, do him and us a favour and stop covering him unless it really is of actual benefit.

I've seen a bunch of articles about this already, but they hadn't discovered the prior patents which invalidated his claims when they published. Printing articles which make that clear changes the spin of the story pretty dramatically and gives a more accurate outline of the situation.

Also wtf Kim, trying to guilt trip people into paying for your defence? Don't start undermining what little credibility you have, you've done well so far to get as much public support as you have

It seems odd to me that this is not considered obvious. Two factor authentication is really no different than any old form of two step physical access. Think nuke codes (the football), secure doors, etc. A password is no different than a key. Stealing a key is like stealing a password. BUT if you need a key and a combination (IE two factor authentication) then the key is useless without the other piece of knowledge.

I guess I am not seeing how something patented in the 90s is anything more than a progression from physical to virtual security... The concept does not really change.

You would hope the patent explains the implementation, but I doubt it. You should have to patent your implementation. That truly is novel, but there are probably 100 ways to do it so the patent wouldn't be able to stifle innovation effectively enough for the holder.

While Dotcom is easy to dislike (heck, it's almost obligatory) he sorta does have a point. The patent, even if it never should have been issued, is currently valid. Until it's overturned, he should theoretically be paid royalties. He certainly needs the money, and I almost believe him when he says that's why he's pursuing this.

Remember, this is not an era where Wrong vs. Right matters; it's the age of "What can I legally get away with?" Untold Ars articles demonstrate that. On the plus side, that same lack of funds (and certain travel... inconveniences) make it pretty certain he can't pursue this very far.

Sorry, but I have already patented N+1 to ∞ factor authentication, where N is whatever was the highest factor already patented at the time of my application (if the patent office can't be bothered to research that, when granting patents to people like Mr. Dotcom, then why should I?)

Has he ever done anything himself? Doesn't he just pay freelancers to "hack" for him or lie about things he's done? He sounds like the classic unqualified braggart who bullshits his way to the top, he can't even be good at video games without paying someone else to boost up his rank.

Two-factor identification, regardless of the particular form it takes, should NOT even be a patentable item. No doubt someone has a patent on the use of passwords to log into websites and accounts. Theoretically the use of a USERNAME and PASSWORD could be considered a form of two-factor identification. Wish I had patented that 30 years ago. I could sue every individual human being and entity on the planet. (I could get Prenda Law to help me!!)

"While Dotcom's patent in the US is still in force, AT&T also has a US patent pre-dating his. The Guardian pointed out that Ericsson and Nokia also have patent filings for two-factor systems predating Dotcom's."

Sorry, but I have already patented N+1 to ∞ factor authentication, where N is whatever was the highest factor already patented at the time of my application (if the patent office can't be bothered to research that, when granting patents to people like Mr. Dotcom, then why should I?)

I am hereby patenting ∞+1 factor authentication, as well as ∞+2 factor.

They're the same thing you say? I pity you, fool.

Why, I'll patent ∞+x factor authentication, for all values of x up to ∞+1! Double infinity factor! Twice as good! Look, go argue your cute nerd talk in the corner with that other geek guy who claims this is all nonsense.

Two factor systems have been in use since the early 70s (and possibly before, but I only have personal experience and first hand knowledge of it since the early 70s).

In order to access certain things you needed a magnetic key (which you kept on your person and pulled out to place into the correct slot or set against the key reader) and the combination to the tumbler. Thus something you had (the magnetic key) and something you knew (the combination). In some cases you had to be with someone else who had access too -- thus two independent sets of two factor to get access.

However beyond even that, we've all read about and/or seen movies about the U.S. ICBM missile crews. They very likely had two factor back to the 60s -- each of the two man crew had a physical key (something they had) and they were supplied codes (something they knew) -- both of which needed to be utilized in order to access the launch sequence.

Since both my personal experience and the ICBM missile crew procedures predate Kim Dotcom's birth, unless he has a time machine hidden somewhere, I can state with 100% surety that it is impossible for him to have invented two factor security.